public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: - fix CVE-2009-4355 - leak in applications incorrectly calling
Date: Tue, 09 Jun 2026 12:42:03 GMT [thread overview]
Message-ID: <178100892366.1.4866234679785496058.rpms-openssl-79249339a7ed@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 79249339a7ede8054be53d22ea30ef0c1afd68b8
Author : Tomáš Mráz <tmraz@fedoraproject.org>
Date : 2010-01-14T08:57:34+00:00
Stats : +88/-3 in 3 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/79249339a7ede8054be53d22ea30ef0c1afd68b8?branch=rebase_40beta
Log:
- fix CVE-2009-4355 - leak in applications incorrectly calling
CRYPTO_free_all_ex_data() before application exit (#546707)
- upstream fix for future TLS protocol version handling
---
diff --git a/openssl-1.0.0-beta4-cve-2009-4355.patch b/openssl-1.0.0-beta4-cve-2009-4355.patch
new file mode 100644
index 0000000..61f0cd6
--- /dev/null
+++ b/openssl-1.0.0-beta4-cve-2009-4355.patch
@@ -0,0 +1,49 @@
+Modify compression code so it frees up structures without using the
+ex_data callbacks. This works around a problem where some applications
+call CRYPTO_free_all_ex_data() before application exit (e.g. when
+restarting) then use compression (e.g. SSL with compression) later.
+This results in significant per-connection memory leaks and
+has caused some security issues including CVE-2008-1678 and
+CVE-2009-4355.
+[Steve Henson]
+diff -up openssl-1.0.0-beta4/crypto/comp/c_zlib.c.compleak openssl-1.0.0-beta4/crypto/comp/c_zlib.c
+--- openssl-1.0.0-beta4/crypto/comp/c_zlib.c.compleak 2008-12-13 18:19:40.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/comp/c_zlib.c 2010-01-13 22:06:20.000000000 +0100
+@@ -136,15 +136,6 @@ struct zlib_state
+
+ static int zlib_stateful_ex_idx = -1;
+
+-static void zlib_stateful_free_ex_data(void *obj, void *item,
+- CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
+- {
+- struct zlib_state *state = (struct zlib_state *)item;
+- inflateEnd(&state->istream);
+- deflateEnd(&state->ostream);
+- OPENSSL_free(state);
+- }
+-
+ static int zlib_stateful_init(COMP_CTX *ctx)
+ {
+ int err;
+@@ -188,6 +179,12 @@ static int zlib_stateful_init(COMP_CTX *
+
+ static void zlib_stateful_finish(COMP_CTX *ctx)
+ {
++ struct zlib_state *state =
++ (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
++ zlib_stateful_ex_idx);
++ inflateEnd(&state->istream);
++ deflateEnd(&state->ostream);
++ OPENSSL_free(state);
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
+ }
+
+@@ -402,7 +399,7 @@ COMP_METHOD *COMP_zlib(void)
+ if (zlib_stateful_ex_idx == -1)
+ zlib_stateful_ex_idx =
+ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
+- 0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
++ 0,NULL,NULL,NULL,NULL);
+ CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
+ if (zlib_stateful_ex_idx == -1)
+ goto err;
diff --git a/openssl-1.0.0-beta4-tlsver.patch b/openssl-1.0.0-beta4-tlsver.patch
new file mode 100644
index 0000000..88282f9
--- /dev/null
+++ b/openssl-1.0.0-beta4-tlsver.patch
@@ -0,0 +1,27 @@
+Fix handling of future TLS versions.
+diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.tlsver openssl-1.0.0-beta4/ssl/s23_srvr.c
+--- openssl-1.0.0-beta4/ssl/s23_srvr.c.tlsver 2010-01-12 22:20:15.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2010-01-13 22:02:47.000000000 +0100
+@@ -315,7 +315,7 @@ int ssl23_get_client_hello(SSL *s)
+ (p[1] == SSL3_VERSION_MAJOR) &&
+ (p[5] == SSL3_MT_CLIENT_HELLO) &&
+ ((p[3] == 0 && p[4] < 5 /* silly record length? */)
+- || (p[9] == p[1])))
++ || (p[9] >= p[1])))
+ {
+ /*
+ * SSLv3 or tls1 header
+@@ -339,6 +339,13 @@ int ssl23_get_client_hello(SSL *s)
+ v[1] = TLS1_VERSION_MINOR;
+ #endif
+ }
++ /* if major version number > 3 set minor to a value
++ * which will use the highest version 3 we support.
++ * If TLS 2.0 ever appears we will need to revise
++ * this....
++ */
++ else if (p[9] > SSL3_VERSION_MAJOR)
++ v[1]=0xff;
+ else
+ v[1]=p[10]; /* minor version according to client_version */
+ if (v[1] >= TLS1_VERSION_MINOR)
diff --git a/openssl.spec b/openssl.spec
index 2724b5e..5afb7a7 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.0
-Release: 0.18.%{beta}%{?dist}
+Release: 0.19.%{beta}%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -73,6 +73,8 @@ Patch66: openssl-1.0.0-beta4-backports2.patch
Patch67: openssl-1.0.0-beta4-reneg-scsv.patch
Patch68: openssl-1.0.0-beta4-tls-comp.patch
Patch69: openssl-1.0.0-beta4-aesni.patch
+Patch70: openssl-1.0.0-beta4-tlsver.patch
+Patch71: openssl-1.0.0-beta4-cve-2009-4355.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -162,6 +164,8 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch67 -p1 -b .scsv
%patch68 -p1 -b .tls-comp
%patch69 -p1 -b .aesni
+%patch70 -p1 -b .tlsver
+%patch71 -p1 -b .compleak
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -410,6 +414,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun -p /sbin/ldconfig
%changelog
+* Thu Jan 14 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.19.beta4
+- fix CVE-2009-4355 - leak in applications incorrectly calling
+ CRYPTO_free_all_ex_data() before application exit (#546707)
+- upstream fix for future TLS protocol version handling
+
* Wed Jan 13 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.18.beta4
- add support for Intel AES-NI
@@ -543,7 +552,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
- temporarily provide symlink to old soname to make it possible to rebuild
the dependent packages in rawhide
- add eap-fast support (#428181)
-- add possibility to disable zlib by setting
+- add possibility to disable zlib by setting
- add fips mode support for testing purposes
- do not null dereference on some invalid smime files
- add buildrequires pkgconfig (#479493)
@@ -750,7 +759,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
- upgrade to new upstream version (no soname bump needed)
- disable thread test - it was testing the backport of the
RSA blinding - no longer needed
-- added support for changing serial number to
+- added support for changing serial number to
Makefile.certificate (#151188)
- make ca-bundle.crt a config file (#118903)
reply other threads:[~2026-06-09 12:42 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100892366.1.4866234679785496058.rpms-openssl-79249339a7ed@fedoraproject.org \
--to=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox